Posted to users@subversion.apache.org by Brian Fohl <br...@gmail.com> on 2005/03/16 14:07:09 UTC

First commit fails??

When someone commits a file for the first time, it always fails
authentication.  After that, on a second try, they are able to
authenticate and commit fine.  What gives?  Is this a known bug?  I
haven't been able to find anything on it.

We are running SVN 1.13 on Apache 2, Windows 2000 Server, using LDAP
authentication into Active Directory.

Thanks,
Brian

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: First commit fails??

Posted by Brian Fohl <br...@gmail.com>.
Yes, the repository is using FSFS...I'm aware of those BDB problems.

Thanks, Dominic.
-Brian


On Thu, 17 Mar 2005 16:05:17 -0500, Dominic Anello <da...@danky.com> wrote:
> On 2005-03-17 08:49:19 -0500, Brian Fohl wrote:
> > I did have to do a bit of tinkering to get the LDAP authentication to
> > work properly.  I would appreciate it if you could share what worked
> > for you, as well.  Here's what I came up with that works (aside from
> > the first commit failing):
> 
> We have almost exactly the same config, except that I use a regular user
> account to bind LDAP and DOMAIN\user instead of a CN= string.  I'm not
> sure I can be of any more help.
> 
> One thing that I did notice though is that your SVNParent path appears
> to point at a network share.  Hopefully you're using FSFS and not BDB
> style repositories....
> 
> <Location /ec-svn>
>     DAV svn
>     SVNPath "/usr/local/svn/ec-svn/repo"
>     AuthzSVNAccessFile "/usr/local/svn/ec-svn/auth/access.ini"
>     SVNIndexXSLT /xslt/svn-index.xsl
> 
>     AuthLDAPURL ldap://hoth/CN=Users,DC=isolution,DC=idx,DC=com?sAMAccountName?sub?(objectClass=user)
>     AuthLDAPBindDN "ISOLUTION\danello"
>     AuthLDAPBindPassword XXXXXXXXXXXXXXXXXXX
>     AuthType Basic
>     AuthName "eCommerce svn repository"
> 
>     <LimitExcept MERGE>
>         Require valid-user
>     </LimitExcept>
> </Location>
> 
> >
> > <Location /svn>
> >   DAV svn
> >   SVNParentPath "//svrintranet01/RDrive/Subversion"
> >   SVNAutoversioning on
> >   SVNPathAuthz off
> >
> >   # For any operations other than these, require an authenticated user.
> >   <LimitExcept GET PROPFIND OPTIONS REPORT>
> >       SetHandler ldap-status
> >         Order deny,allow
> >         Allow from all
> >         AuthLDAPEnabled on
> >         AuthLDAPURL ldap://svr-dc1/CN=Users,DC=mycompany,DC=com?sAMAccountName?sub?(Objectclass=user)
> >       AuthLDAPBindDN "CN=BrowserAccount,OU=Service Accounts,DC=mycompany,DC=com"
> >       AuthLDAPBindPassword "XXXXXXXXXXXXXXXXXXXXXXX"
> >         AuthLDAPAuthoritative on
> >         require valid-user
> >         AuthType Basic
> >         AuthName "Subversion Read-only Repository"
> >   </LimitExcept>
> > </Location>
> >
> 
> --
> I felt that we two might commit some act so atrocious that the world,
> seeing us, would find it irresistible.
> 
> 
>


Re: First commit fails??

Posted by Dominic Anello <da...@danky.com>.
On 2005-03-17 08:49:19 -0500, Brian Fohl wrote:
> I did have to do a bit of tinkering to get the LDAP authentication to
> work properly.  I would appreciate it if you could share what worked
> for you, as well.  Here's what I came up with that works (aside from
> the first commit failing):

We have almost exactly the same config, except that I use a regular user
account to bind LDAP and DOMAIN\user instead of a CN= string.  I'm not 
sure I can be of any more help.

One thing that I did notice though is that your SVNParent path appears
to point at a network share.  Hopefully you're using FSFS and not BDB
style repositories....

<Location /ec-svn>
    DAV svn
    SVNPath "/usr/local/svn/ec-svn/repo"
    AuthzSVNAccessFile "/usr/local/svn/ec-svn/auth/access.ini"
    SVNIndexXSLT /xslt/svn-index.xsl

    AuthLDAPURL ldap://hoth/CN=Users,DC=isolution,DC=idx,DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPBindDN "ISOLUTION\danello"
    AuthLDAPBindPassword XXXXXXXXXXXXXXXXXXX
    AuthType Basic
    AuthName "eCommerce svn repository"

    <LimitExcept MERGE>
        Require valid-user
    </LimitExcept>
</Location> 

> 
> <Location /svn>
>   DAV svn
>   SVNParentPath "//svrintranet01/RDrive/Subversion"
>   SVNAutoversioning on 
>   SVNPathAuthz off
> 
>   # For any operations other than these, require an authenticated user.
>   <LimitExcept GET PROPFIND OPTIONS REPORT>
>   	SetHandler ldap-status
>         Order deny,allow
>         Allow from all
>         AuthLDAPEnabled on
>         AuthLDAPURL ldap://svr-dc1/CN=Users,DC=mycompany,DC=com?sAMAccountName?sub?(Objectclass=user)
>  	AuthLDAPBindDN "CN=BrowserAccount,OU=Service Accounts,DC=mycompany,DC=com"
>  	AuthLDAPBindPassword "XXXXXXXXXXXXXXXXXXXXXXX"
>         AuthLDAPAuthoritative on
>         require valid-user
>         AuthType Basic
>         AuthName "Subversion Read-only Repository"
>   </LimitExcept> 
> </Location>
> 

-- 
I felt that we two might commit some act so atrocious that the world,
seeing us, would find it irresistible.

Re: First commit fails??

Posted by Brian Fohl <br...@gmail.com>.
I did have to do a bit of tinkering to get the LDAP authentication to
work properly.  I would appreciate it if you could share what worked
for you, as well.  Here's what I came up with that works (aside from
the first commit failing):


<Location /svn>
  DAV svn
  SVNParentPath "//svrintranet01/RDrive/Subversion"
  SVNAutoversioning on 
  SVNPathAuthz off

  # For any operations other than these, require an authenticated user.
  <LimitExcept GET PROPFIND OPTIONS REPORT>
        SetHandler ldap-status
        Order deny,allow
        Allow from all
        AuthLDAPEnabled on
        AuthLDAPURL ldap://svr-dc1/CN=Users,DC=mycompany,DC=com?sAMAccountName?sub?(Objectclass=user)
        AuthLDAPBindDN "CN=BrowserAccount,OU=Service Accounts,DC=mycompany,DC=com"
        AuthLDAPBindPassword "XXXXXXXXXXXXXXXXXXXXXXX"
        AuthLDAPAuthoritative on
        require valid-user
        AuthType Basic
        AuthName "Subversion Read-only Repository"
  </LimitExcept>
</Location>


Thanks,
Brian


On Wed, 16 Mar 2005 23:33:40 -0500, Dominic Anello <da...@danky.com> wrote:
> On 2005-03-16 12:07:47 -0500, Brian Fohl wrote:
> > Thanks for the advice, Dominic.  I am loading mod_authz_svn, but I
> > have "SVNPathAuthz off" in my Location tag, so I don't know if that
> > matters.  Here's the error I'm getting in the log:
> >
> > [Wed Mar 16 11:46:47 2005] [warn] [client 10.0.0.144] [972] auth_ldap
> > authenticate: user firstname.lastname authentication failed; URI
> > /svn/repo/!svn/act/5fb8bcac-3621-e84f-910d-ed334639c888 [LDAP:
> > ldap_simple_bind_s() failed][Unavailable]
> ----8<----
> 
> Well, the man page for ldap_error has this in it:
> LDAP_UNAVAILABLE    The DSA is unavailable.
> 
> Not exactly helpful.  DSA is directory server agent, which I guess is
> the AD server in this case.
> 
> I poked around a little bit and it seems like this error can be related
> to the ldap client being unable to negotiate an authentication protocol
> with the server.  Did you compile mod_ldap with SSL enabled?  I think I
> read somewhere that by default AD only accepts encrypted requests.
> 
> The only other thing I can think of is maybe there is something wrong
> with your AuthLDAP parameters?  I can post what worked for me tomorrow
> if you'd like.
> 
> Again, don't take any of this as gospel, I just set up my configuration
> using an Apache/AD/LDAP recipe I found online.
> 
> --
> I've been told that to get what you want
> You just gotta give what you can.
> But I know for what I want -- it don't come easy as that.
> 
> 
>


Re: First commit fails??

Posted by Dominic Anello <da...@danky.com>.
On 2005-03-16 12:07:47 -0500, Brian Fohl wrote:
> Thanks for the advice, Dominic.  I am loading mod_authz_svn, but I
> have "SVNPathAuthz off" in my Location tag, so I don't know if that
> matters.  Here's the error I'm getting in the log:
> 
> [Wed Mar 16 11:46:47 2005] [warn] [client 10.0.0.144] [972] auth_ldap
> authenticate: user firstname.lastname authentication failed; URI
> /svn/repo/!svn/act/5fb8bcac-3621-e84f-910d-ed334639c888 [LDAP:
> ldap_simple_bind_s() failed][Unavailable]
----8<----

Well, the man page for ldap_error has this in it:
LDAP_UNAVAILABLE    The DSA is unavailable.

Not exactly helpful.  DSA is directory server agent, which I guess is
the AD server in this case.

I poked around a little bit and it seems like this error can be related
to the ldap client being unable to negotiate an authentication protocol
with the server.  Did you compile mod_ldap with SSL enabled?  I think I 
read somewhere that by default AD only accepts encrypted requests.

The only other thing I can think of is maybe there is something wrong
with your AuthLDAP parameters?  I can post what worked for me tomorrow
if you'd like.

Again, don't take any of this as gospel, I just set up my configuration
using an Apache/AD/LDAP recipe I found online.

-- 
I've been told that to get what you want
You just gotta give what you can.  
But I know for what I want -- it don't come easy as that.

Re: First commit fails??

Posted by Brian Fohl <br...@gmail.com>.
Thanks for the advice, Dominic.  I am loading mod_authz_svn, but I
have "SVNPathAuthz off" in my Location tag, so I don't know if that
matters.  Here's the error I'm getting in the log:

[Wed Mar 16 11:46:47 2005] [warn] [client 10.0.0.144] [972] auth_ldap
authenticate: user firstname.lastname authentication failed; URI
/svn/repo/!svn/act/5fb8bcac-3621-e84f-910d-ed334639c888 [LDAP:
ldap_simple_bind_s() failed][Unavailable]



On Wed, 16 Mar 2005 10:58:45 -0500, Dominic Anello <da...@danky.com> wrote:
> On 2005-03-16 09:07:09 -0500, Brian Fohl wrote:
> > When someone commits a file for the first time, it always fails
> > authentication.  After that, on a second try, they are able to
> > authenticate and commit fine.  What gives?  Is this a known bug?  I
> > haven't been able to find anything on it.
> >
> > We are running SVN 1.13 on Apache 2, Windows 2000 Server, using LDAP
> > authentication into Active Directory.
> >
> > Thanks,
> > Brian
> 
> Sorry to post again, but another possibility, especially if you are
> using mod_authz_svn, as well, is that the user has credentials cached
> that have read access but not write access to the files being checked
> in.
> 
> For example if you have something like this in your authz ini file:
> [/trunk]
> foo = r
> bar = rw
> 
> Then if someone checks out trunk as foo and tries to check in they will
> open a transaction as foo, but write access to trunk will fail.  They
> will then get prompted for a user/password.  If they respond by
> logging in as bar, the commit will still fail, but then if they retry,
> svn will use the cached credentials for bar from the beginning.
> 
> The symptom of this problem is a message like the following in the
> apache log:
> [Tue Mar 08 13:53:08 2005] [error] [client 111.222.333.444] (2)No such file or directory: Multi-author commits not supported.  [501, #0]
> 
> hope this helps,
> 
> Dominic
> 
> --
> You're so beautiful, it hurts to look at you.
> 
> 
>


Re: First commit fails??

Posted by Dominic Anello <da...@danky.com>.
On 2005-03-16 09:07:09 -0500, Brian Fohl wrote:
> When someone commits a file for the first time, it always fails
> authentication.  After that, on a second try, they are able to
> authenticate and commit fine.  What gives?  Is this a known bug?  I
> haven't been able to find anything on it.
> 
> We are running SVN 1.13 on Apache 2, Windows 2000 Server, using LDAP
> authentication into Active Directory.
> 
> Thanks,
> Brian

Sorry to post again, but another possibility, especially if you are
using mod_authz_svn, as well, is that the user has credentials cached
that have read access but not write access to the files being checked
in.

For example if you have something like this in your authz ini file:
[/trunk]
foo = r
bar = rw

Then if someone checks out trunk as foo and tries to check in they will
open a transaction as foo, but write access to trunk will fail.  They
will then get prompted for a user/password.  If they respond by
logging in as bar, the commit will still fail, but then if they retry,
svn will use the cached credentials for bar from the beginning.

The symptom of this problem is a message like the following in the
apache log:
[Tue Mar 08 13:53:08 2005] [error] [client 111.222.333.444] (2)No such file or directory: Multi-author commits not supported.  [501, #0]

hope this helps,

Dominic

-- 
You're so beautiful, it hurts to look at you.

Re: First commit fails??

Posted by Dominic Anello <da...@danky.com>.
On 2005-03-16 09:07:09 -0500, Brian Fohl wrote:
> When someone commits a file for the first time, it always fails
> authentication.  After that, on a second try, they are able to
> authenticate and commit fine.  What gives?  Is this a known bug?  I
> haven't been able to find anything on it.
> 
> We are running SVN 1.13 on Apache 2, Windows 2000 Server, using LDAP
> authentication into Active Directory.
> 
> Thanks,
> Brian

I had this problem too, with the difference that we were running
Apache under Linux using mod_auth_ldap to auth against an AD server.
Unfortunately I can't say exactly what resolved it.  I can say it 
didn't have anything to do with the Apache or SVN setup, since we didn't
change anything between the time the problem appeared and it went away.

When this failure occurred, we'd see something like the following in the
apache error.log:
[Tue Oct 26 17:45:49 2004] [warn] [client 111.222.333.444] [29238] auth_ldap authenticate: user DOMAIN\\user_name authentication failed; URI /ec-svn/trunk/eCommerce [User not found][No such object]

Here's the search URL we're using:
AuthLDAPURL ldap://ad-server/CN=Users,DC=domain,DC=company,DC=com?sAMAccountName?sub?(objectClass=user)

I have to confess I know next to nothing about AD.  When this started
happening for a user, I'd open their user account in the AD users and
groups utility, edit the comment, and save.  This would fix the problem
until the AD server was rebooted.  It may have been some sort of
replication issue, as the problem went away when we moved our SVN server
to a different office and pointed it to a different AD server in the 
same domain.

Sorry I couldn't be more specific, but maybe someone with more AD
experience can point you in the right direction!

-Dominic

-- 
It all made sense until The Box.
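
Added example, not part of any message in this thread: a small triage script that separates the three Apache error-log signatures quoted above (the LDAP bind failure, the LDAP "User not found" search failure, and the "Multi-author commits" error) and flags whether each failure hit a commit activity URL. The function name, the hint labels and the sample input (the thread's own log lines, joined back onto single lines) are assumptions made for illustration.

```python
import re

# Constructed sample: the three log lines quoted in the thread, un-wrapped.
SAMPLE_LOG = r"""[Wed Mar 16 11:46:47 2005] [warn] [client 10.0.0.144] [972] auth_ldap authenticate: user firstname.lastname authentication failed; URI /svn/repo/!svn/act/5fb8bcac-3621-e84f-910d-ed334639c888 [LDAP: ldap_simple_bind_s() failed][Unavailable]
[Tue Oct 26 17:45:49 2004] [warn] [client 111.222.333.444] [29238] auth_ldap authenticate: user DOMAIN\\user_name authentication failed; URI /ec-svn/trunk/eCommerce [User not found][No such object]
[Tue Mar 08 13:53:08 2005] [error] [client 111.222.333.444] (2)No such file or directory: Multi-author commits not supported.  [501, #0]
"""

# Common prefix of an Apache 2.0 error-log line: timestamp, level, client.
HEAD = r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
# auth_ldap failure: "[pid] auth_ldap authenticate: user U ...; URI P [stage][result]"
LDAP_RE = re.compile(
    HEAD + r"\[\d+\] auth_ldap authenticate: user (?P<user>\S+) "
    r"authentication failed; URI (?P<uri>\S+) "
    r"\[(?P<stage>[^\]]+)\]\[(?P<result>[^\]]+)\]\s*$")
MULTI_RE = re.compile(HEAD + r".*Multi-author commits not supported")

# Hypothetical labels paraphrasing the thread's explanations; hints, not diagnoses.
LDAP_HINTS = {
    "Unavailable": "bind-failed: directory server unavailable or bind not negotiated",
    "No such object": "user-not-found: LDAP search returned nothing for this user",
}
MULTI_HINT = "multi-author: transaction opened as one user, continued as another"


def triage(log_text):
    """Return one dict per recognised failure line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LDAP_RE.match(line)
        if m:
            f = m.groupdict()
            f["hint"] = LDAP_HINTS.get(f["result"], "unclassified LDAP failure")
            # mod_dav_svn commit transactions live under .../!svn/act/<uuid>
            f["during_commit"] = "/!svn/act/" in f["uri"]
            findings.append(f)
            continue
        m = MULTI_RE.match(line)
        if m:
            f = m.groupdict()
            f.update(user=None, hint=MULTI_HINT, during_commit=True)
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["client"], f["user"], f["hint"], f["during_commit"])
```
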